NATIONAL PAYMENT SYSTEM: SARB ISSUES CYBER SECURITY DIRECTIVE
-
17 May 2024
-
Financial Sector
-
SA Legal Academy
Please note: In a joint communication dated 26 June 2024, the Financial Sector Conduct and Prudential Authorities drew attention to a notice under the same date announcing that the directive will come into effect on 1 June 2025.
The South African Reserve Bank (SARB) has gazetted a directive on cybersecurity and cyber-resilience within the national payment system. In force three months from publication, the directive will apply to all:
- payment institutions
- payment, clearing and settlement systems
- payment system financial market infrastructures, and
- operators within the national payment system.
This is noting that, according to the directive:
- the national payment system ‘encompasses the entire payment process, from payer to beneficiary, and includes settlement between banks’
- ‘the process includes all … tools, systems, instruments, mechanisms, institutions, agreements, procedures, rules or laws applied or utilised to effect payment’, and that
- the national payment system is a primary component of the country’s monetary and financial system, ... enabl(ing) the circulation of money and assist(ing) transacting parties in making payments and exchanging value’.
Given the introduction of ‘alternative payment solutions that are faster, more cost-effective and more efficient’ – but increasingly dependent on computer networks and third-party IT service providers – the directive is expected to go some way towards:
- mitigating:
- cyber-risk in the national payment system, and
- disruptions that might develop into systemic events in that system
- maintaining the system’s ‘soundness, integrity, safety and efficiency’, and
- reducing the potential for ‘operational, legal and reputational risks’, including:
- business interruptions
- data loss
- fraud
- breach of privacy
- network failures, and
- associated financial loss.
To that end, it prescribes institutional obligations regarding:
- cyber governance and cyber security
- critical operations and information assets
- risk detection
- response and recovery
- testing
- information sharing, and
- reporting
Provision is also made for the SARB to conduct on site supervision and compliance monitoring inspections.
Published by SA Legal Academy Policy Watch
Follow us on X @SALegalAcademy (you can also join us on LinkedIn and Facebook)
There are not comments for this article at the moment, check back later.
You must be logged in to add a comment,
log in now.